CSP 1.1: `plugin-types` no longer parses in a draconian fashion.
author Mike West <mkwst@google.com>
Fri, 27 Jul 2012 16:01:07 +0200
changeset 143 4700cb782553
parent 142 5e6fdb226239
child 144 173a53cc0076

After a bit of discussion[1], it seems that there's consensus to revert the
earlier change to `plugin-types`'s behavior with regard to grammatically invalid
media types. Given `plugin-types invalid application/pdf;`, the policy will
allow resources of type `application/pdf` to load, and simply ignore the
`invalid` media type.

Two reasons for this change:

1. `plugin-types`, unlike `script-nonce`, fails closed. That is, it defaults to
an empty set of media types, and only allows those it understands. A
draconian policy doesn't really enhance this effect[2].

2. We'd like to retain the ability to extend the media type list grammar in the
future, perhaps by adding hosts[3].

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0073.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0077.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0078.html
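The parse-and-match behaviour the message describes (split the directive value on spaces, keep only tokens that are a grammatically valid RFC 2045 `type/subtype`, ignore the rest, match case-insensitively), as an added example in JavaScript. This is illustrative code written for this page, not text from the spec and not any browser's implementation. It assumes a serialized CSP policy whose directives are separated by `;`, and treats `pluginTypesDirectiveValue`, `pluginAllowedByPolicy` and the `EXAMPLE_POLICY` string as names chosen here for the example.

```javascript
// Added example (not part of the changeset or of any browser): a model of the
// CSP 1.1 `plugin-types` parsing and matching algorithm this change specifies.
// Assumptions: the policy is a serialized CSP header value whose directives
// are separated by ';', and "token" follows RFC 2045:
// 1*<any ASCII CHAR except SPACE, CTLs, or tspecials>.

// RFC 2045 tspecials: ( ) < > @ , ; : \ " / [ ] ? =
const RFC2045_TOKEN = String.raw`[^\x00-\x20\x7f-\uffff()<>@,;:\\"\/\[\]?=]+`;
// media-type = <type> "/" <subtype>; anchored so "a/b/c" and "invalid" fail.
const MEDIA_TYPE_RE = new RegExp(`^${RFC2045_TOKEN}\\/${RFC2045_TOKEN}$`);

// HTML "split a string on spaces": whitespace is space, tab, LF, FF, CR.
function splitOnSpaces(value) {
  return value.split(/[ \t\n\f\r]+/).filter((token) => token.length > 0);
}

// Locate the plugin-types directive in a serialized policy. Returns the raw
// directive value ("" when the name is present with no value) or null when
// the directive is absent, in which case no plugin restriction applies.
// (Hypothetical helper for this example; not a spec algorithm.)
function pluginTypesDirectiveValue(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...rest] = splitOnSpaces(directive);
    if (name !== undefined && name.toLowerCase() === "plugin-types") {
      return rest.join(" ");
    }
  }
  return null;
}

// "Parse a media type list": keep each token that matches the media-type
// grammar, silently ignore the rest. "" or "invalid" alone yields the empty
// set, so a malformed or empty directive blocks every plugin (fails closed).
function parseMediaTypeList(mediaTypeList) {
  const setOfMediaTypes = new Set();
  for (const token of splitOnSpaces(mediaTypeList)) {
    if (MEDIA_TYPE_RE.test(token)) setOfMediaTypes.add(token);
  }
  return setOfMediaTypes;
}

// "Matches a media type list": case-insensitive comparison against each
// token in the parsed set (RFC 2045 type and subtype are case-insensitive).
function matchesMediaTypeList(mediaType, setOfMediaTypes) {
  const needle = mediaType.toLowerCase();
  for (const token of setOfMediaTypes) {
    if (token.toLowerCase() === needle) return true;
  }
  return false;
}

// Enforcement decision for one resource: true means the plugin may be
// instantiated; false means the UA must act as though the plugin reported
// an error and show the element's fallback content.
function pluginAllowedByPolicy(policy, resourceMediaType) {
  const value = pluginTypesDirectiveValue(policy);
  if (value === null) return true;
  return matchesMediaTypeList(resourceMediaType, parseMediaTypeList(value));
}

// Constructed policy mirroring the case in the commit message: "invalid" is
// dropped, application/pdf still loads, anything else is blocked.
const EXAMPLE_POLICY = "default-src 'self'; plugin-types invalid application/pdf";
```

The security-relevant property is visible in `parseMediaTypeList`: a typo such as `aplication/pdf` is still a valid token and is kept, so it simply never matches a real resource; a token that violates the grammar is dropped; and a directive with no valid tokens at all produces the empty set, so the directive cannot be loosened by malformed input, only tightened.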
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Sat Jul 21 20:44:04 2012 -0500
     1.2 +++ b/csp-specification.dev.html	Fri Jul 27 16:01:07 2012 +0200
     1.3 @@ -580,6 +580,51 @@
     1.4              obtained by parsing the source list <code>'none'</code>.</p>
     1.5            </section>
     1.6          </section>
     1.7 +
     1.8 +        <section>
     1.9 +          <h4>Media Type List</h4>
    1.10 +
    1.11 +          <p>The experimental
    1.12 +          <a href="#plugin-types--experimental"><code>plugin-types</code></a>
    1.13 +          directive uses a value consisting of a <dfn>media type list</dfn>.</p>
    1.14 +
    1.15 +          <p>Each <dfn>media type</dfn> in the media type list represents a
    1.16 +          specific type of resource that can be retrieved and used to
    1.17 +          instantiate a <a href="http://www.whatwg.org/specs/web-apps/current-work/#plugin">plugin</a>
    1.18 +          in the protected resource.</p>
    1.19 +
    1.20 +<pre>
    1.21 +media-type        = &lt;type from RFC 2045&gt; "/" &lt;subtype from RFC 2045&gt;
    1.22 +</pre>
    1.23 +
    1.24 +          <section>
    1.25 +            <h5>Parsing</h5>
    1.26 +
    1.27 +            <p>To <dfn id="parse-a-media-type-list">parse a media type
    1.28 +            list</dfn> <var>media type list</var>, the user agent MUST use an
    1.29 +            algorithm equivalent to the following:</p>
    1.30 +
    1.31 +            <ol>
    1.32 +              <li>Let the <var>set of media types</var> be the empty set.</li>
    1.33 +
    1.34 +              <li>For each token returned by <a href="http://www.w3.org/TR/html5/common-microsyntaxes.html#split-a-string-on-spaces">splitting
    1.35 +              <var>media type list</var> on spaces</a>, if the token matches the
    1.36 +              grammar for <code>media-type</code>, add the token to the
    1.37 +              <var>set of media types</var>. Otherwise ignore the token.</li>
    1.38 +
    1.39 +              <li>Return the <var>set of media types</var>.</li>
    1.40 +            </ol>
    1.41 +          </section>
    1.42 +
    1.43 +          <section>
    1.44 +            <h5>Matching</h5>
    1.45 +
    1.46 +            <p>A media type <dfn>matches a media type list</dfn> if, and only
    1.47 +            if, the media type is a case-insensitive match for at least one
    1.48 +            token in the set of media types obtained by <a href="#parse-a-media-type-list">parsing
    1.49 +            the media type list</a>.
    1.50 +          </section>
    1.51 +        </section>
    1.52        </section>
    1.53  
    1.54        <section>
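Review bot: the Matching paragraph (lines 1.46 to 1.49) opens a `<p>` that is never closed before `</section>`; add `</p>` after `the media type list</a>.`. The same `<dfn>matches a media type list</dfn>` carries no `id`, while the enforcement text later in this change links to `#match-a-media-type-list`; give it `<dfn id="match-a-media-type-list">` to mirror `<dfn id="parse-a-media-type-list">`. Consider also stating, in step 2 of the parsing algorithm, that an ignored token SHOULD be reported to the developer console: because the directive fails closed, a malformed media type silently blocks that plugin type, a failure mode the commit message accepts but the algorithm as written leaves unobservable.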
    1.55 @@ -1411,23 +1456,20 @@
    1.56  <pre>
    1.57  directive-name    = "plugin-types"
    1.58  directive-value   = media-type *( 1*WSP media-type )
    1.59 -media-type        = &lt;type from RFC 2045&gt; "/" &lt;subtype from RFC 2045&gt;
    1.60  </pre>
    1.61  
    1.62 -        <p>If the <code>plugin-types</code> directive's value is empty,
    1.63 -        consists solely of whitespace, or contains invalid characters, let the
    1.64 -        <dfn>allowed plugin media types</dfn> be the empty set. Otherwise, the
    1.65 -        term refers to the <code>plugin-types</code> directive's value, <a
    1.66 -        href="http://www.whatwg.org/specs/web-apps/current-work/#split-a-string-on-spaces">split
    1.67 -        on spaces</a>.</p>
    1.68 +        <p>The term <dfn>allowed media types</dfn> refers to the result of
    1.69 +        <a href="#parse-a-media-type-list">parsing the <code>plugin-types</code>
    1.70 +        directive's value as a media type list</a></p>
    1.71  
    1.72          <p>When enforcing the <code>plugin-types</code> directive:</p>
    1.73          <ul>
    1.74              <li>Whenever the user agent would instantiate a <a
    1.75              href="http://www.whatwg.org/specs/web-apps/current-work/#plugin">plugin</a>
    1.76 -            for the protected resource to handle a resource whose media type is
    1.77 -            not contained in the list of <a href="#dfn-allowed-plugin-media-types">allowed plugin media types</a>,
    1.78 -            instead the user agent MUST act as though the plugin reported an
    1.79 +            for the protected resource to handle a resource whose media type
    1.80 +            does not <a href="#match-a-media-type-list">match</a> the list of
    1.81 +            <a href="#dfn-allowed-plugin-media-types">allowed plugin media types</a>,
    1.82 +            the user agent MUST instead act as though the plugin reported an
    1.83              error (which will cause the user agent to display the <a
    1.84              href="http://www.whatwg.org/specs/web-apps/current-work/#fallback-content">fallback
    1.85              content</a>).</li>
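Review bot: the definition is renamed to `allowed media types` (line 1.68) but the enforcement bullet still links `#dfn-allowed-plugin-media-types` with the link text `allowed plugin media types` (lines 1.80 to 1.81); either keep the old dfn text or update the href and wording so the anchor still resolves. The new paragraph at line 1.70 also lacks its terminating period: `directive's value as a media type list</a>.</p>`. Removing the `media-type` production here is fine only if the reader is pointed at the Media Type List section where it now lives, since `directive-value` on line 1.58 still references `media-type` with no definition in this `<pre>`.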